Merge pull request #64 from TNG/validate-spdx

Validate spdx

Author: maxhbr

.github/workflows/sbom.yaml

@@ -23,6 +23,10 @@ on:
         description: Whether to include modules into the sbom
         default: false
         type: boolean
+      validate:
+        description: Whether to valdiate the generated spdx document using the java spdx tools
+        default: false
+        type: boolean
   workflow_call:
     inputs:
       test_archive:
@@ -37,6 +41,9 @@ on:
       use_modules:
         required: true
         type: boolean
+      validate:
+        required: true
+        type: boolean
 
 run-name: ${{ inputs.test_archive }}
 
@@ -93,7 +100,7 @@ jobs:
           test_archive="${{ inputs.test_archive }}"
           output_dir="${test_archive%.tar.gz}"
           echo "output_dir=$output_dir" >> $GITHUB_OUTPUT
-      
+
       - name: Upload Artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -102,3 +109,14 @@ jobs:
             sbom.spdx.json
             sbom.used_files.txt
           retention-days: 30
+        
+      - name: Validate sbom.spdx.json
+        id: validate_sbom
+        run: |
+          export SPDX_TOOLS_VERSION=2.0.2
+          curl -LO "https://github.com/spdx/tools-java/releases/download/v${SPDX_TOOLS_VERSION}/tools-java-${SPDX_TOOLS_VERSION}.zip"
+          unzip -j "tools-java-${SPDX_TOOLS_VERSION}.zip" "tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar"
+          java -Xmx15G -Xms12G -jar "tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar" Verify "sbom.spdx.json"
+        if: ${{ inputs.validate }}
+      
+     

.github/workflows/sbom_all_configs.yaml

@@ -21,6 +21,7 @@ jobs:
       output_tree: ${{ matrix.output_tree || 'kernel_build' }}
       arch: ${{ matrix.arch || 'x86' }}
       use_modules: ${{ matrix.use_modules != 'false' && inputs.use_modules }} # use string 'false' because boolean false and undefined are undistinguishable 
+      validate: ${{ matrix.validate == 'true' }} # memory requirements on github runners are only sufficient for small configs
     strategy:
       fail-fast: false 
       matrix:
@@ -39,8 +40,10 @@ jobs:
           # v6.17
           - test_archive: linux.v6.17.tinyconfig.x86.tar.gz
             use_modules: 'false'
+            validate: 'true'
           # - test_archive: linux.v6.17.defconfig.x86.tar.gz
           - test_archive: linux.v6.17.defconfig.x86.rust.tar.gz
+            validate: 'true'
           - test_archive: linux.v6.17.allmodconfig.x86.tar.gz
           # - test_archive: linux.v6.17.localmodconfig.Ubuntu24.04.x86.tar.gz
           - test_archive: linux.v6.17.y.gregkh-linux-stable.x86.tar.gz

sbom/lib/sbom/spdx/core.py

@@ -91,11 +91,14 @@ class SoftwareAgent(Agent):
 @dataclass(kw_only=True)
 class CreationInfo(SpdxObject):
     type: str = field(init=False, default="CreationInfo")
-    spdxId: SpdxId = "_:creationinfo"
+    id: SpdxId = "_:creationinfo"
     specVersion: str = SPDX_SPEC_VERSION
     createdBy: list[Agent]
     created: str = field(default_factory=lambda: datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
 
+    def to_dict(self) -> dict[str, Any]:
+        return {("@id" if k == "id" else k): v for k, v in super().to_dict().items()}
+
 
 @dataclass(kw_only=True)
 class Relationship(Element):
@@ -111,10 +114,7 @@ def __post_init__(self):
             self.spdxId = generate_spdx_id(f"Relationship_{self.relationshipType}")
 
     def to_dict(self) -> dict[str, Any]:
-        d = super().to_dict()
-        d["from"] = d.pop("from_")
-        d["to"] = d.pop("to")
-        return d
+        return {("from" if k == "from_" else k): v for k, v in super().to_dict().items()}
 
 
 @dataclass(kw_only=True)

sbom/lib/sbom/spdx/software.py

@@ -42,4 +42,4 @@ class File(SoftwareArtifact):
     type: str = field(init=False, default="software_File")
     spdxId: SpdxId = field(default_factory=lambda: generate_spdx_id("software_File"))
     name: str  # type: ignore
-    software_FileKind: FileKindType | None = None
+    software_fileKind: FileKindType | None = None

sbom/lib/sbom/spdx/spdxId.py

@@ -5,10 +5,12 @@
 import uuid
 
 SpdxId = str
-_spdx_uri_prefix = "https://kernel.org/"
+_spdx_uri_prefix = "https://spdx.org/spdxdocs/"
 _uuid = uuid.uuid4()
 _counter = count(0)
 
+_generated_ids: dict[str, int] = {}
+
 
 def set_spdx_uri_prefix(prefix: str) -> None:
     global _spdx_uri_prefix
@@ -18,4 +20,14 @@ def set_spdx_uri_prefix(prefix: str) -> None:
 def generate_spdx_id(object_type: str, object_suffix: str | None = None) -> SpdxId:
     if object_suffix is None:
         object_suffix = f"gnrtd{next(_counter)}"
-    return f"{_spdx_uri_prefix}{_uuid}/{object_type}#{object_suffix}"
+    spdxId = f"{_spdx_uri_prefix}{_uuid}/{object_type}#{object_suffix}"
+
+    # compare spdxIds case-insensitively and deduplicate if needed
+    spdxId_lower = spdxId.lower()
+    if spdxId_lower in _generated_ids:
+        _generated_ids[spdxId_lower] += 1
+        spdxId += f"-{_generated_ids[spdxId_lower]}"
+    else:
+        _generated_ids[spdxId_lower] = 0
+
+    return spdxId

sbom/lib/sbom/spdx_graph.py

@@ -57,12 +57,12 @@ def build_spdx_graph(
     src_tree_element = File(
         spdxId=generate_spdx_id("software_File", "$(src_tree)"),
         name="$(src_tree)",
-        software_FileKind="directory",
+        software_fileKind="directory",
     )
     output_tree_element = File(
         spdxId=generate_spdx_id("software_File", "$(output_tree)"),
         name="$(output_tree)",
-        software_FileKind="directory",
+        software_fileKind="directory",
     )
     src_tree_contains_relationship = Relationship(
         relationshipType="contains",

sbom/sbom.py

@@ -84,7 +84,7 @@ def _parse_args() -> Args:
     )
     parser.add_argument(
         "--spdx-uri-prefix",
-        default="https://kernel.org/",
+        default="https://spdx.org/spdxdocs/",
         help="The uri prefix to be used for all 'spdxId' fields in the spdx document",
     )
     parser.add_argument(